From: up201407890@alunos.dcc.fc.up.pt
Newsgroups: gnu.bash.bug
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Wed, 16 Dec 2015 15:33:25 +0100
To: chet.ramey@case.edu
Cc: Stephane Chazelas, bug-bash@gnu.org
In-Reply-To: <567062DC.50209@case.edu>
References: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu> <20151213220817.GC7138@chaz.gmail.com> <20151214180113.169546iutu72yw9k@webmail.alunos.dcc.fc.up.pt> <20151214173231.GA6524@chaz.gmail.com> <20151215003016.598611ow5f3lw4qo@webmail.alunos.dcc.fc.up.pt> <56701D21.3070700@case.edu> <20151215173342.GA12657@chaz.gmail.com> <567062DC.50209@case.edu>

Quoting "Chet Ramey":

> Which should not be affected by what we're talking about, which is not
> importing PS4 from the environment when uid == 0.

He later said "(Blocking PS4 and not SHELLOPTS=xtrace would work for me in that regard)". Still shows how useful xtrace is and how it is necessary.

In this case, yes, blocking PS4 would be best when uid == 0.
It could still be abused when something does setuid() to a uid other than 0 though, but obviously not as bad.
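The mechanism the thread is arguing about, as an added example that is not part of the thread and not bash's own code: an exported SHELLOPTS=xtrace switches tracing on in every bash script that inherits it, and xtrace expands PS4 (parameter expansion, command substitution, arithmetic) before printing each trace line, so a caller-controlled PS4 runs the caller's command before the script's first line executes. The victim script, the marker-file payload and the probe/helper names are constructed for this demonstration; it assumes a `bash` binary on PATH and POSIX `env`, `mktemp` and `touch`.

```shell
#!/bin/sh
# Added example (not from the bug-bash thread): three probes of the
# SHELLOPTS=xtrace / PS4 import.  Each probe returns 0 if the injected
# command ran (a marker file appeared) and 1 if it was blocked.

# Write a harmless bash script to $1.  $2 is an optional first line of
# real work ("" for the plain victim, "set +x; PS4='+ '" for the script
# that tries to defend itself).
write_victim() {
    {
        printf '%s\n' '#!/bin/bash'
        if [ -n "$2" ]; then printf '%s\n' "$2"; fi
        printf '%s\n' ': "harmless work"'
    } > "$1"
    chmod 0755 "$1"
}

# Run the bash script $1 under the hostile environment.  $2 selects the
# launcher: "plain" passes the environment straight through, "scrubbed"
# starts bash from an empty environment (env -i), which is what a
# privileged or setuid launcher has to do on its own exec path.
# Returns 0 if the payload executed (marker file exists), 1 otherwise.
payload_ran() {
    script=$1
    launcher=$2
    marker=$(dirname "$script")/marker
    rm -f "$marker"
    # Constructed payload: touch a marker file so the result is observable.
    hostile_ps4="\$(touch '$marker')"
    case $launcher in
        plain)
            env SHELLOPTS=xtrace PS4="$hostile_ps4" \
                bash "$script" >/dev/null 2>&1
            ;;
        scrubbed)
            env SHELLOPTS=xtrace PS4="$hostile_ps4" \
                env -i PATH="$PATH" bash "$script" >/dev/null 2>&1
            ;;
    esac
    [ -e "$marker" ]
}

# Shared driver: build a victim in a scratch directory, run one launcher,
# clean up, and hand back payload_ran's verdict.
run_probe() {
    d=$(mktemp -d)
    write_victim "$d/victim.sh" "$1"
    if payload_ran "$d/victim.sh" "$2"; then r=0; else r=1; fi
    rm -rf "$d"
    return $r
}

# Plain victim, environment passed through: the imported PS4 is expanded
# for the trace of the very first command, so the payload runs.
probe_unguarded() { run_probe "" plain; }

# Victim whose first line is "set +x; PS4='+ '".  Too late: xtrace has to
# print the trace line for that very command, which expands the hostile
# PS4 (and runs the payload) before the line is executed.
probe_script_side_fix() { run_probe "set +x; PS4='+ '" plain; }

# Plain victim behind a launcher that drops the inherited environment:
# neither SHELLOPTS nor PS4 reaches bash, so nothing is traced.
probe_scrubbed_launcher() { run_probe "" scrubbed; }

# Stand-alone run.  A bash that refuses to import PS4 for uid 0 (the
# change discussed in the thread) reports "blocked" for the first two
# probes when run as root; as an ordinary user they report "executed".
for probe in probe_unguarded probe_script_side_fix probe_scrubbed_launcher; do
    if "$probe"; then
        echo "$probe: payload executed"
    else
        echo "$probe: blocked"
    fi
done
```

Two things the probes make concrete. A fix inside the script cannot work, because the trace line for `set +x` is built, and the hostile PS4 expanded, before `set +x` runs; and a wrapper written in bash cannot work either, because the wrapper itself would import SHELLOPTS=xtrace and PS4 from the same environment. The scrubbing therefore has to happen where the environment is handed over (env -i here; a C launcher building its own envp for execve), which is exactly why the thread asks bash to refuse the import for uid 0 rather than relying on every script and launcher to get this right, and why the uid != 0 setuid case the reply mentions is outside that guard.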